The main documents that you need to rely on when processing personal data are the Constitution of the Russian Federation (Article 24) and the Federal Law of July 27, 2006 No. 152-FZ (hereinafter referred to as the Law on Personal Data).
Art. 24 of the Constitution of the Russian Federation states that “the collection, storage, use and dissemination of information about the private life of a person without his consent is not permitted.” The Personal Data Law not only defines the key concepts that every employer will have to deal with in practice, but also introduces the principles and conditions for the processing of personal data, the rights of the subject of personal data and other important points.
The issues of protecting employee personal data are addressed in Chapter 14 of the Labor Code of the Russian Federation.
What does the employee’s personal data include?
Personal data is any information relating to a directly or indirectly identified individual (subject of personal data). Typically, this data allows you to identify a specific person.
As part of the employment relationship, the employer can request only those personal data that are necessary to perform the job function. These include full name, information about previous work, documents that are necessary to get a job (passport, work book, etc.), information about education. The employer has no right to request information such as religion, since it is not required to perform a job function.
The complexity of processing personal data lies in the fact that at different stages of interaction and when solving various work tasks, the employer may have questions. For example, is the information contained in a candidate's resume considered personal data? Should he give consent in this case, even if he is not hired? Is it necessary to somehow coordinate with the employee the transfer of data to issue a pass? Is it possible to post a photo of an employee on the honor board without his consent? Is it allowed to post “black lists” of employees on the company website? What to do with the data of fired employees?
It is important to know the answers to all these questions. Moreover, the Ministry of Labor, Rostrud, and Roskomnadzor periodically publish explanations on them.
What is needed to obtain information
Finding the necessary information is easier when all the passport data is present - series and number, full name, date of birth and place of residence, etc. In practice, it often happens that only part of the passport data is known, and therefore you have to look for the missing information first. At the same time, you should be prepared to incur financial costs, since you won’t be able to find out a person’s passport details for free using your full name and date of birth.
So, what passport data can you not do without to obtain information about a person? This is first of all:
- Full name - knowledge of the last name, first name and patronymic (it should be remembered that the patronymic may be absent) is always important when searching for a person (although they can be changed). In addition, there is a real chance of finding namesakes with the same name and patronymic, so it is necessary to combine a search by full name with a search by other data;
- series and passport number - using them to find out the owner’s last name and other necessary information is quite possible, because each passport has a unique combination of numbers: four digits of the series (the first two indicate the region of issue, the second two indicate the year of the form) and six digits of the passport number. To do this, you must contact the government authorities with a corresponding application and pay a state fee (the requested information is confidential and can only be obtained for a compelling reason);
- place of registration - this information also helps to narrow the search or get new leads (for example, phone number, information from neighbors);
- date and place of birth - this information is an important clarification of the last name and first name and will help to weed out the majority of namesakes.
We recommend that you learn more about what passport data such as series and passport number can tell you.
Having passport data easily allows you to obtain information about the TIN of a citizen of the Russian Federation, which consists of 12 digits. This is open information and is easily accessible. Speaking about whether it is possible to find out passport data, which is already considered personal, using the TIN, it should be noted that this is only partially possible. The first two digits will show the code of the subject of Russia, the next two – the tax office number, the next 6 – the taxpayer’s record number. The rest of the information is in the tax service, but it is not subject to disclosure.
Sometimes knowing the TIN allows you to calculate the full name and address of the taxpayer; this is possible if the taxpayer has any debts. You should check their availability, for example, on the State Services website and, if found, select the “Redeem” item, then the mailing address will be displayed when generating a receipt.
What to do with the candidate’s personal data
Even at the stage of reviewing resumes, the company begins to collect personal data of candidates. It can save resumes in special programs, print them, save contacts for further communication, etc.
A resume usually contains a whole list of personal data - from phone number to information about education and previous places of work.
Roskomnadzor warns that the processing of personal data of applicants requires obtaining appropriate consent from them. Consent should be issued for the period of making a decision on acceptance or refusal of employment.
But there are exceptions when such consent is not required:
- if a recruitment agency with which the candidate has entered into an agreement acts on behalf of the applicant;
- when posting your resume on the Internet yourself.
The consent must indicate the purpose of obtaining personal data—considering a candidate for a vacant position. You can use a sample consent to the processing of personal data.
If an employer receives an applicant’s resume by email, he needs to take additional steps to confirm that the applicant himself sent the resume. For example, this could be inviting the applicant to an interview or responding to his email.
What to do if personal data is collected using a questionnaire
Often, an employer collects personal data of candidates using a standard questionnaire. Firstly, such a questionnaire must contain information about the period for its consideration and the decision to accept or refuse employment.
And secondly, it must comply with the requirements of clause 7 of the Regulations on the specifics of processing personal data carried out without the use of automation tools. It means that:
- the questionnaire must contain information about the purpose of processing personal data, the name (title) and address of the operator, full name and address of the subject of personal data, the source of obtaining personal data, the timing of processing personal data, a list of actions with personal data that will be performed during their processing, a general description of the data processing methods used by the employer;
- the questionnaire must contain a field in which the subject of personal data can mark his consent to processing;
- the questionnaire must be compiled in such a way that each of the subjects of personal data contained in the document has the opportunity to familiarize themselves with their data without violating the rights and legitimate interests of others;
- the questionnaire should not provide for combining fields intended for entering personal data, the purposes of processing of which are obviously incompatible.
Typically, the questionnaire is posted electronically on the company’s website, and consent to the processing of personal data is confirmed by checking the appropriate box.
What to do with the data of a candidate who was not hired
In this case, the data provided by the applicant must be destroyed within 30 days.
There are exceptions to this situation - cases provided for by the legislation on the state civil service. Then the applicant’s personal data will have to be stored for 3 years.
Sending inquiries to previous places of employment
At the interview stage, the employer may need to clarify some information about the employee or obtain additional information from previous employers.
To do this, he must obtain the consent of the applicant.
Personal information (Brief FAQ)
What is personal data?
Personal data is any information relating to an individual, including:
- his last name, first name, patronymic;
- year, month, date and place of birth;
- address, family, social, property status, education, profession, income;
- other information (see Federal Law-152, Article 3).
For example: passport data, financial statements, medical records, year of birth (for women), biometrics, other personal identification information.
Public sources of personal data (address books, lists and other information support), with the written consent of an individual, may include his last name, first name, patronymic, year and place of birth, address, subscriber number and other personal data (see Federal Law-152, Art. 8).
Personal data is classified as restricted information and must be protected in accordance with the legislation of the Russian Federation. When developing system security requirements, personal data is divided into 4 categories.
What is the operator and subject of personal data?
A personal data operator is, as a rule, an organization, or more precisely a state or municipal body, a legal entity or an individual that organizes and (or) carries out the processing of personal data, as well as determining the purposes and content of the processing of personal data.
The subject of personal data is an individual.
The operator is responsible for the protection of the subject’s personal data in accordance with the current legislation of the Russian Federation.
How to classify a personal data information system?
In order to assign a typical personal data information system (ISPD) to a particular class, it is necessary to:
I. Determine the category of personal data being processed:
- category 4 - anonymized and (or) publicly available personal data;
- category 3 - personal data that allows identification of the subject of personal data;
- category 2 - personal data that allows you to identify the subject of personal data and obtain additional information about him, with the exception of personal data related to category 1;
- category 1 - personal data relating to race, nationality, political views, religious and philosophical beliefs, health, intimate life.
II. Determine the volume of personal data processed in the information system:
- volume 3 - the information system simultaneously processes data of less than 1,000 personal data subjects, or personal data of subjects within a specific organization;
- volume 2 - the information system simultaneously processes personal data of from 1,000 to 100,000 personal data subjects, or personal data of subjects working in an economic sector of the Russian Federation, in a government agency, or living within a municipality;
- volume 1 - the information system simultaneously processes personal data of more than 100,000 personal data subjects, or personal data of subjects within a constituent entity of the Russian Federation or the Russian Federation as a whole.
III. Based on the results of the analysis of the initial data, a typical ISPD is assigned one of the following classes (see table):
- class 4 (K4) - information systems for which a violation of the specified security characteristics of the personal data processed in them does not lead to negative consequences for the subjects of personal data;
- class 3 (K3) - information systems for which a violation of the specified security characteristics of the personal data processed in them may lead to minor negative consequences for the subjects of personal data;
- class 2 (K2) - information systems for which a violation of the specified security characteristics of the personal data processed in them may lead to negative consequences for the subjects of personal data;
- class 1 (K1) - information systems for which a violation of the specified security characteristics of the personal data processed in them can lead to significant negative consequences for the subjects of personal data.
Volume / Category | Volume 3 (<1,000, organization) | Volume 2 (1,000-100,000, industry, city) | Volume 1 (>100,000, subject of the Federation)
Category 4 (anonymized, public) | Class 4 | Class 4 | Class 4
Category 3 (identification) | Class 3 | Class 3 | Class 2
Category 2 (identification and more) | Class 3 | Class 2 | Class 1
Category 1 (medical, social) | Class 1 | Class 1 | Class 1
See the Procedure for Classifying Personal Data Information Systems introduced by order of the FSTEC (Federal Service for Technical and Export Control) of Russia, the FSB of Russia and the Ministry of Information and Communications of Russia N 55/86/20.
Judgment Day delayed until January 1, 2011
Personal data information systems created before the entry into force of Federal Law of the Russian Federation No. 152 “On Personal Data” must be brought into compliance with the requirements of this Federal Law no later than January 1, 2010 (see Federal Law No. 152, Article 25). This means that personal data operators who fail to comply with the very stringent requirements of Federal Law 152 will, from January 1, 2010, incur appropriate civil, administrative, disciplinary, and perhaps (God forbid) criminal liability. All information systems that have already been put into operation after February-April 2008 (from the moment of distribution of methodological documents by the FSTEC of Russia and the FSB of Russia), but do not comply with the requirements of Russian legislation in the field of personal data, may incur the specified liability earlier, for example, tomorrow morning.
Note. Changes to the Criminal Code of the Russian Federation, significantly tightening liability for violations affecting privacy, will also come into force on January 1, 2010.
ADDENDUM: But as always happens, personal data operators did not move much, and few managed to do everything that was required. On December 16, 2009, the State Duma adopted in the third reading amendments to Articles 19 and 25 of the Law “On Personal Data” (152-FZ). The deadline for bringing personal data information systems (ISPD) into compliance with this law was postponed by a year - until January 1, 2011. In addition, the provision obliging the operator to use encryption (cryptographic) means to protect data when processing personal data was excluded from the law.
Mandatory requirements for the protection of personal data information systems
The main mandatory requirements for organizing an information security system depending on the class of a typical ISPD:
For class 4 ISPD:
- the list of measures for the protection of personal data is determined by the operator (depending on the possible damage).
For class 3 ISPD:
- declaration of conformity or mandatory attestation according to information security requirements;
- obtaining a license from the FSTEC of Russia for activities related to the technical protection of confidential information (for distributed class 3 ISPD).
For class 2 ISPD:
- mandatory attestation for information security requirements;
- measures must be implemented to protect personal data from PEMIN;
- obtaining a license from the FSTEC of Russia for activities on technical protection of confidential information (for distributed systems).
For class 1 ISPD:
- mandatory attestation for information security requirements;
- measures must be implemented to protect personal data from PEMIN;
- obtaining a license from the FSTEC of Russia for activities on technical protection of confidential information.
Procedure for protecting the personal data information system
The sequence of actions when fulfilling the legal requirements for the processing of personal data:
1) Notification to the authorized body for the protection of the rights of personal data subjects about your intention to process personal data using automation tools;
2) Pre-project survey of the information system - collection of initial data;
3) Classification of the personal data processing system;
4) Construction of a private threat model in order to determine the relevance of threats to the information system;
5) Development of a private technical specification for a personal data protection system;
6) Design of a personal data protection system;
7) Implementation and deployment of a personal data protection system;
8) Fulfillment of requirements for engineering protection of premises, requirements for fire safety, security, power supply and grounding, sanitary and environmental requirements;
9) Attestation (certification) for information security requirements;
10) Improving the qualifications of employees in the field of personal data protection;
11) Maintenance (outsourcing) of the personal data protection system.
When are attestation and certification required?
Attestation of information systems according to information security requirements is mandatory:
- for ISPD, in the case of assigning personal data to a state information resource (see “Special requirements and recommendations for the technical protection of confidential information”, State Technical Commission of Russia, 2001);
- in other cases - for ISPD of classes 1, 2 and 3. For class 3 ISPD, by decision of the operator, the mandatory attestation procedure can be replaced by the procedure for declaring conformity (see “Main measures for the organization and technical support of the security of personal data processed in personal data information systems”, FSTEC of Russia, 2008, clause 3.11).
Unfortunately, the declaration of conformity process is not currently regulated. Information security tools used in ISPD undergo a conformity assessment procedure in the prescribed manner (see “Regulations on ensuring the security of personal data during their processing in personal data information systems”, clause 5), including certification for compliance with information security requirements (see “Main measures for the organization...”, clause 3.3). Certification must also be carried out for the absence of undeclared capabilities (see “Main measures for the organization...”, clauses 4.2, 4.3).
Note:
1) Operators of ISPD, when carrying out measures to ensure the security of personal data (confidential information) during their processing in ISPD of classes 1 and 2 and distributed information systems of class 3, must obtain a license to carry out activities for the technical protection of confidential information in the prescribed manner.
2) Applicants for certification of information security tools (developers of information protection systems, information security systems or personal data operators) must have a license to carry out activities for the development and/or production of means of protecting confidential information.
ADDENDUM: In connection with the publication of the order of the FSTEC of Russia dated February 5, 2010 No. 58 “On approval of the Regulations on methods and means of protecting information in personal data information systems” (registered by the Ministry of Justice of Russia on February 19, 2010, registration No. 16456; published: “Rossiyskaya Gazeta”, March 5, 2010, No. 46), the following methodological documents of the FSTEC of Russia do not apply from March 15, 2010 to ensuring the security of personal data when processed in personal data information systems:
- Main measures for the organization and technical support of the security of personal data processed in personal data information systems, approved by the Deputy Director of the FSTEC of Russia on February 15, 2008;
- Recommendations for ensuring the security of personal data during their processing in personal data information systems, approved by the Deputy Director of the FSTEC of Russia on February 15, 2008.
Responsibility for violations of personal data processing
Persons guilty of violating the requirements of Federal Law 152-FZ “On Personal Data” bear:
- civil,
- criminal (see Criminal Code of the Russian Federation, Art. 137, 140, 155, 183, 272, 273, 274, 292, Art. 81; Art. 90; Art. 195; Art. 237; Art. 391)
- and other liability provided for by the legislation of the Russian Federation (see by-laws on working with personal data, which are published in the constituent entities of the Russian Federation, departments and organizations).
Abbreviations used in the article:
FSTEC - Federal Service for Technical and Export Control.
PEMIN - Side Electromagnetic Radiation and Interference.
Collection and processing of personal data when applying for a job
Labor legislation determines the list of documents that an employer requests from an employee when applying for a job. At this stage, according to Art. 65 of the Labor Code of the Russian Federation, the following are requested:
- passport or other identity document;
- employment history;
- a document confirming registration in the individual (personalized) accounting system, including in the form of an electronic document;
- if necessary: military registration documents, a document on education and (or) qualifications or the presence of special knowledge, a certificate of the presence (absence) of a criminal record.
The employee’s consent is not required to enter personal data from these documents into the employment contract. When he signs an employment contract, he thereby already gives his consent.
Registration of a salary card and personal data of the employee
Many organizations issue a salary card to employees when hiring them. In this regard, the question may arise: does the employer need to obtain consent to transfer an employee’s personal data to the bank? Yes, it does.
It is important that:
- the list of personal data strictly corresponds to what is transferred to the bank;
- the purpose for obtaining personal data is indicated, namely to issue a salary card.
Roskomnadzor determines the cases in which an employee’s personal data may be transferred to a bank for opening salary cards without consent:
- the agreement for issuing a bank card was concluded directly with the employee and its text directly provides for provisions for the transfer of employee data;
- the employer has a power of attorney to represent the employee’s interests when concluding an agreement with the bank for issuing a card and servicing it;
- the corresponding form and system of remuneration is prescribed in the collective agreement (Article 41 of the Labor Code of the Russian Federation).
It is worth considering that an employee may refuse to sign a consent to transfer data to the bank with which the company works. He may already have accounts and cards opened in another bank, and therefore it is more convenient for him to continue to be serviced by his bank.
Last year, liability for “wage slavery” was established. This means that an employee cannot be denied the right to change the credit institution to which the salary will be transferred.
Make sure there are no unknown bank accounts opened in your name
Often, passport data is used to open bank accounts and bank cards for illegal transactions. As a result, the owner of such an account may have problems with law enforcement agencies and the tax service.
You can find out which bank accounts are opened in your name by contacting the Federal Tax Service through the website. To do this, you need to go to the taxpayer’s Personal Account and submit a request. The service is provided free of charge.
If you find out that your data is being used by fraudsters, contact the police immediately, keeping a copy of the application with a receipt stamp in your possession. This will help you protect yourself from any possible problems with illegally opened accounts.
Placing “black lists” of employees on the website
Sometimes an employer boldly publishes publicly lists of former employees who were fired, for example, for loss of trust or repeated failure to perform duties.
It should be noted that this is regarded by law as a violation of the requirements for the processing of personal data. The Ministry of Labor warns about this, in particular, in Letter No. 14-2/B-803 dated 10/08/2018.
In this case, by publishing the reasons for dismissal, the employer discloses the employee’s personal information to third parties. This cannot be done without the employee’s consent.
What should be the consent to the processing of personal data?
Roskomnadzor in its recommendations formulates the following requirements:
- The content of consent must be specific and informed. That is, based on the information, one can make an unambiguous conclusion about the purposes, methods of processing, indicating the actions performed with personal data, and the volume of data processed.
- It is allowed to issue consent in the form of a separate document or as part of the text of the employment contract.
- Consent must meet the requirements for its content, in accordance with Part 4 of Art. 9 of the Law on Personal Data.
Find out who was interested in your property
Some types of fraud can be committed with your passport data in hand. Today, it is quite easy to obtain information about a property and its owner. Each person can receive an extract from the Unified State Register of Real Estate.
You, as a property owner, also have the opportunity to find out about those persons who have applied for information about the housing you own. This is regulated by Article 62 of the Federal Law of July 13, 2015 No. 218-FZ “On State Registration of Real Estate”.
You can contact the MFC and order a certificate of persons who were interested in real estate and received information about it for a certain period. The fee for obtaining a certificate in electronic form is 250 rubles, for a paper version – 400 rubles.
If you find that someone is showing interest in your real estate properties, then you should immediately file an application to prohibit the registration of transactions with your properties without your personal participation. This can be done at the MFC. In this case, scammers will not be able to sell or give your apartment to anyone by proxy.
Design of the honor board
The opposite situation is rewarding an employee in the form of an honor roll. But there are some subtleties here too.
Usually a photograph of a person is placed on the honor board and his full name is indicated. And all this is personal data that the employer does not have the right to display publicly in his office, even if the purpose of his actions is to encourage successful employees and thereby motivate the rest of the team.
To use an employee’s photo, you will also have to obtain consent.
Personal information for the pass
Most organizations now have access control. Accordingly, new employees are required to obtain a pass.
In this case, there is no need to obtain consent to the processing of personal data if:
- the company independently carries out access control;
- the processing complies with the procedure provided for by the collective agreement or local acts adopted in accordance with Art. 372 of the Labor Code of the Russian Federation.
In the event that the access control is under the control of a third party, then consent is required.
Personal data – use in the enterprise
Chapter 14 of the Labor Code of the Russian Federation reveals the concept of employee PD. This is data that allows you to obtain certain characteristics of a person as an employee of a particular company (work experience, professional qualifications, salary, data on the Federal Tax Service, Pension Fund, etc.).
Such PD must be stored properly and used to help the employee perform his duties in accordance with his position and profession, move up the career ladder, improve his qualifications and gain new professional knowledge. PD is also used to protect employees and company property.
An employee’s personal information may contain only those data that relate to his professional qualities and features that allow him to perform his job duties. According to the Constitution of the Russian Federation, personal life is considered inviolable and confidential, and personal data is part of it.
This concept is narrowly defined in the Labor Code. It states that an employee’s PD is information necessary for enterprise management to perform their professional duties; this information relates to a specific employee.
PD processing
The purpose pursued by the processing and storage of PD at the enterprise is the need to correctly implement the company’s work activity. PD processing is necessary for:
- recording the fact of hiring an employee;
- certificates of grounds for career advancement;
- confirmation of the grounds for payment of wages;
- monitoring the implementation of production tasks and work.
Company employees must have access to information about how their personal data is stored and processed, so the employer is obliged to familiarize them with this information. Confirmation that employees have been notified of this is the personal signature of each of them.
Types of personal data in an enterprise
The enterprise needs to collect two types of PD:
- required for concluding an employment contract;
- requested and generated directly by the employer.
PD, which is stored at the enterprise in the personal files of each employee, usually contains the following data:
- about marital status and individual family members (dependents, children, age data, number, health data, etc.);
- copies of documents on state pension insurance;
- about a specific employee (passport data, profession, qualification characteristics, etc.).
The employer must create and approve an internal regulation that describes the procedure for storing personal data in the form of a Regulation on Personal Data or Instructions. These standards must be brought to the attention of employees who are responsible for collecting and processing personal information. They must strictly comply with all requirements set forth in such documents.
If all formalities are observed at the enterprise for the collection, storage and use of personal data, they will be maximally protected.
Responsibility for Disclosure
Law 152, which is designed to protect the personal data of individuals, provides exclusively for administrative liability in the event of disclosure of personal data at an enterprise. Accordingly, if a company is unable to provide its employees with complete protection of personal data, the employer can only be punished by a fine. This punishment is expressed in small amounts.
The fine imposed on the employer when violations of this nature are detected can range from 5 to 10 thousand rubles. But this applies to a single violation. Typically, inspections reveal a significant number of such problems, and the amount of fines increases accordingly.
But financial costs are not the main consequence of improper use and storage of PD. Such facts affect the company’s reputational indicators. If employees agree to the processing of personal information, they must be sure that the company guarantees its correct storage and use.
What to do with the personal data of fired employees
It should be taken into account that there are requirements for the processing of personal data within the framework of accounting and tax accounting.
For example, employers are obliged to ensure the safety of documents necessary for the calculation, withholding and transfer of tax for 4 years (clause 5, clause 3, article 24 of the Tax Code of the Russian Federation). And here the consent of former employees, whether they like it or not, is not required.
Roskomnadzor reminds that after the expiration of the deadlines specified by law, the personal files of employees are transferred to archival storage for a period of 75 years. But the Law on Personal Data does not apply to the organization of archival storage and the use of archival documents with personal data of employees.